thswlsqls opened a new issue, #17046: URL: https://github.com/apache/iceberg/issues/17046
**Apache Iceberg version** main @ 035fc1e40 **Query engine** N/A — engine-agnostic (Aliyun OSS FileIO client factory) **Please describe the bug** `AliyunClientFactories.DefaultAliyunClientFactory.newOSSClient()` (`aliyun/src/main/java/org/apache/iceberg/aliyun/AliyunClientFactories.java` line 123) always checks RRSA (RAM Roles for Service Accounts) environment variables first, regardless of whether `client.access-key-id`/`client.access-key-secret` are explicitly configured. If a pod has the three RRSA env vars set (auto-injected by Alibaba Cloud ACK when RRSA is enabled on the ServiceAccount), explicit static credentials are silently ignored and replaced with RRSA credentials. The sibling aws module (`AwsClientProperties.credentialsProvider()`, `aws/src/main/java/org/apache/iceberg/aws/AwsClientProperties.java` line 213-239) checks a fully configured static credential pair before falling back to auto-detection. Aliyun's precedence is reversed. **Steps to reproduce** 1. Set `ALIBABA_CLOUD_OIDC_PROVIDER_ARN`, `ALIBABA_CLOUD_ROLE_ARN`, `ALIBABA_CLOUD_OIDC_TOKEN_FILE`. 2. Also configure `client.access-key-id` and `client.access-key-secret` on the catalog (e.g. for cross-account OSS bucket access). 3. Call `newOSSClient()`. Expected: the explicit static credentials are used. Actual: RRSA credentials are used instead, silently overriding the explicit configuration. **Additional context** RRSA support was added in #14443; its review did not consider the interaction with static credentials. No existing open issue/PR covers this precedence conflict. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
